b'           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n  THE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\n  CONTRACT WITH UNIFIED CONSULTANTS\n      GROUP, INC., CONTRACT NUMBER\n              SS00-05-60015\n\n     September 2008   A-15-08-18033\n\n\n\n\nAUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                             SOCIAL SECURITY\nMEMORANDUM\n\nDate:      September 26, 2008                                                                         Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   The Social Security Administration\xe2\x80\x99s Contract with Unified Consultants Group, Inc.,\n           Contract Number SS00-05-60015 (A-15-08-18033)\n\n\n           OBJECTIVE\n\n           Our objectives were to determine whether the contractor was complying with the\n           contract terms and applicable Social Security Administration (SSA) policies, and to\n           ensure SSA personnel were properly monitoring the contract. We also determined\n           whether SSA was maximizing the use of the benefits rendered from the contractor\xe2\x80\x99s\n           services.\n\n           BACKGROUND\n\n           On July 22, 2005, SSA awarded Unified Consultants Group, Inc., (UCG) a contract to\n           conduct physical security facility reviews (PSFR) at SSA facilities 1 nationwide. The\n           PSFR program is designed to assess the adequacy of physical security measures in\n           place at an SSA facility and determine whether there are vulnerabilities that must be\n           addressed. Physical security includes those safeguards that protect SSA facilities, staff\n           and visitors, information, and equipment, but excludes computer systems security.\n           Refer to Appendix D for a list of UCG\xe2\x80\x99s most frequently identified field office security\n           issues. SSA\xe2\x80\x99s Administrative Instructions Manual System (AIMS) defines the priority of\n           physical security issues by designating the most serious security problems as Tier 1,\n           and lesser security issues as Tier 2. Physical security issues relating to fire safety and\n           training are classified as health and safety issues. See Appendix E for a list of Tier 1\n           and Tier 2 security requirements.\n\n\n\n\n           1\n            SSA facilities may include (1) field offices, (2) Offices of Disability Adjudication and Review (ODAR),\n           (3) Contact Stations, (4) ODAR Remote Sites, (5) teleservice centers, (6) regional offices, (7) program\n           service centers, (8) the Regional Training Center, (9) the National Records Center, (10) the Regional\n           Office Warehouse and (11) SSA Headquarters.\n\x0cPage 2 - The Commissioner\n\n\nThe contract requires that UCG review 312 offices at a cost of $2,773,332.\n\n\n                                                              Number\n                   Period of Performance                     of Offices       Total Amount\n             Base Year - Fiscal Year (FY) 2006                  100               $881,590\n             Option Year 1 - FY 2007                            106               $890,821\n             Option Year 2 - FY 2008                            106             $1,000,921\n             Total                                              312             $2,773,332\n\nThe SSA Office of Facilities Management (OFM), Office of Protective Security Services,\n(OPSS) is responsible for ensuring a safe and secure workplace for Social Security\nemployees nationwide. OPSS personnel are responsible for managing and monitoring\nthe UCG contract. OPSS\xe2\x80\x99 responsibilities under this contract include (1) selecting the\nSSA facilities to be reviewed, (2) ensuring UCG\xe2\x80\x99s compliance with the contract,\n(3) reviewing UCG\xe2\x80\x99s completed PSFR reports, (4) monitoring the facilities\xe2\x80\x99 responses to\nUCG\xe2\x80\x99s recommendations and (5) examining and approving UCG\xe2\x80\x99s invoices.\n\nSecurity Assessments and Funded Enhancements\n\nOFM developed and implemented the Security Assessments and Funded\nEnhancements (SAFE) system, which is a secure web portal, to provide a central\nrepository of physical security reports, information and tools 2 to assist in managing the\nAgency\xe2\x80\x99s physical and protective security program. SAFE, which has been available on\nthe SSA Intranet since October 1, 2007, provides a means of better tracking security\nreviews for a designated activity, corrective actions taken to correct deficiencies and\nfunding use for security compliance. All field office managers, assistant managers and\narea directors have access to their offices\xe2\x80\x99 physical security data on SAFE.\n\nBefore SAFE was implemented, SSA\xe2\x80\x99s regional physical security coordinators and\nOffice of Disability Adjudication and Review (ODAR) Physical Security Coordinators\n(PSC) maintained varying forms of documentation to track corrections and request\nfunds from OPSS, if necessary, to assist in resolving the identified physical security\nissues.\n\nRESULTS OF REVIEW\n\nOverall, we found UCG was conducting the PSFRs in compliance with the contract\nterms and applicable SSA policy, and OPSS personnel were properly managing and\nmonitoring the UCG contract. We found UCG completed the required number of\nPSFRs within the required time frames, and submitted reports with the information\nrequired by the contract. However, we found (1) inadequate follow-up of outstanding\n2\n  SAFE provides information on-line, which includes a Physical Security Action Plan, and tools, such as an\nOccupant Emergency Plan Questionnaire, electronic logs (intrusion detection system testing and\nactivation; duress alarm testing and activation; fire extinguisher inspection; emergency lighting testing; key\nlogs; training logs; and evacuation drills), and an online Physical Security Self-Assessment Questionnaire.\n\x0cPage 3 - The Commissioner\n\n\nFY 2006 and FY 2007 PSFR recommendations, (2) inefficient use of SAFE, and (3) a\nmissing suitability determination. In addition, we believe SSA is not maximizing the\nbenefits of services rendered under the UCG contract.\n\nInadequate Follow-up of Outstanding FY 2006 and 2007 PSFR Recommendations\n                                                                  3\nThe office manager must address each PSFR security team finding. The PSFR is a\ncomprehensive review that checks for approximately 70 potential physical security\nissues. Any disagreement with a finding or suggested remediation method must be\npresented to the Regional or ODAR Headquarters PSC, who will present the issue to\nOPSS for resolution. 4\n\nWe reviewed 38 PSFRs consisting of 18 and 20 PSFRs for FYs 2006 and 2007,\nrespectively. These PSFRs identified 577 recommendations. For the FY 2006 and\n2007 PSFRs, OPSS passed the PSFR reports to the regions to address the UCG\nidentified security issues. Our review of the regional and ODAR PSC responses to the\nstatus of UCG\xe2\x80\x99s recommendations found that 311 (54 percent) of the\n577 recommendations were closed; however, 266 (46 percent) of the recommendations\nremained open, as shown in the Table below.\n\n             Number of\n    Fiscal    PSFRs            Closed                    Open                    Total\n     Year    Reviewed      Recommendations          Recommendations         Recommendations\n     2006       18              154                       117                     271\n     2007       20              157                       149                     306\n    Total       38              311                       266                     577\n\nClosed Recommendations\n\nWe did not independently verify the information reported. As a result, we did not\nassess whether the recommendations were properly closed. The regional and ODAR\nPSC responses indicated that 42 of the 311 closed recommendations were closed\nbecause the office disagreed with the recommendation.\n\nOpen Recommendations\n\nThe regional and ODAR PSC responses indicated that 96 of the 266 open\nrecommendations pertained to areas requiring mandatory Tier 1 security\n\n\n\n\n3\n SSA\xe2\x80\x99s Administrative Instructions Manual System (AIMS), Materiel Resources Manual (MRM)\n\xc2\xa7 04.50.09, PSFR Program D.4.\n4\n    Id.\n\x0cPage 4 - The Commissioner\n\n\nenhancements. 5 The remaining 170 open recommendations related to less critical\nphysical security issues (Tier 2), 6 and health and safety issues. 7\n\nIn some instances, the PSCs could not provide information on the status of the\nrecommendation or stated the recommendation was still under review. For example, in\nOctober 2006, UCG found the exterior lighting in one field office was activated on a\ntimer between 5 p.m. and 8 p.m. UCG recommended that the lessor of the building\nreset the lights\xe2\x80\x99 automatic timer to remain on during all hours of darkness. Sufficient\nlighting eliminates potential hiding areas and aids in security monitoring. However, as\nof April 2008, the PSC could not provide information as to whether this\nrecommendation had been addressed or resolved. UCG is completing its work as\nrequired by the contract and making recommendations, therefore, the PSCs should be\nmore responsive in completing the required corrective actions, and OPSS along with\nthe Region and ODAR PSCs should ensure all recommendations are addressed.\n\nAlso, we found SSA had not addressed 56 recommendations identified in the FY 2006\nreviews. All of these reviews were completed during October through December 2005.\nIn one instance, the PSC\xe2\x80\x99s response indicated action was taken. In November 2005,\nUCG identified an expired fire extinguisher in a field office computer room that may not\nhave worked in the event of a fire. In April 2008, we performed a site visit and found\nthe fire extinguisher had been removed. We were informed the field office was\nreplacing the fire extinguisher. Additionally, a PSFR conducted in April 2007 found fire\n                                                     8\nextinguishers were not clearly marked. SSA policy indicates fire extinguishers should\nbe mounted where they are easily seen and accessed, and where visual obstructions\ncannot be avoided the location must be conspicuously marked. Accordingly, labels\nshould be applied that conspicuously indicate the positions of obstructed fire\nextinguishers. In April 2008, we performed a site visit and found the labels of certain\nobstructed fire extinguishers were too low to be seen over office cubicle walls.\n\n\n\n\n5\n  AIMS, General Administration Manual (GAM) \xc2\xa7 12.06.07 C, Tier 1 Security Enhancements. This policy\nrequires SSA management to ensure that, in SSA offices dealing with the public, mandatory Tier 1\nsecurity enhancements are in place.\n6\n AIMS, GAM \xc2\xa7 12.06.07 D, Tier 2 Security Enhancements. Although not mandated, management is to\nconsider Tier 2 enhancements.\n7\n    AIMS, GAM \xc2\xa7 13.04.09 Attachments A- J.\n8\n    AIMS, MRM \xc2\xa7 04.50.08.E.\n\x0cPage 5 - The Commissioner\n\n\nSSA\xe2\x80\x99s physical protective security program protects all Agency personnel, visitors,\nrecords, equipment and facilities. Inadequate physical protective security controls 9\ncould result in\n\n       1.   physical harm to employees and the public,\n       2.   damage to or loss of facilities,\n       3.   the compromise of personally identifiable information,\n       4.   theft,\n       5.   destruction of Government records and property,\n       6.   vulnerability to civil liability, and\n       7.   inability to carry out SSA\'s mission.\n\nThe examples noted above indicate that identified security issues existed for lengthy\nperiods of time. Additionally, the PSCs stated that some recommendations were still\nopen as a result of a pending action (such as requesting funds). However, we found\nthat 163 (61 percent) of 266 recommendations did not require funding, or the cost of\nthe repair and/or improvement was less than $200. Based on UCG\xe2\x80\x99s estimates, SSA\ncould resolve all 163 issues with as little as $2,963 in funding. While we recognize that\nSSA policy includes no specific timeframes for correcting security issues, we believe\n2 years should be sufficient time to resolve security issues\xe2\x80\x94particularly mandatory\nTier 1 issues.\n\nSSA is paying about $2.8 million for a contract meant to improve the security of all\nAgency personnel, visitors, records, equipment and facilities. However, SSA is not\ntaking timely action to correct security issues identified by the contractor. At the time of\nour review, many of the contractor\xe2\x80\x99s recommendations remained unimplemented and\nSSA facilities, data, and employees continued to be vulnerable.\n\nInefficient Use of SAFE\n\nStarting in FY 2008, UCG input the PSFR results directly into SAFE; therefore, all UCG\nrecommendations and cost estimates are included in SAFE. As previously stated, the\noffice manager must address each PSFR security team finding. 10 Any disagreement\nwith a finding or suggested remediation method must be presented to the Regional or\nODAR Headquarters PSC who will present the issue to OPSS for resolution. 11\n\nOPSS monitors the status of each finding and the implementation of corrective actions\nvia the SAFE web portal. The PSCs are responsible for contacting managers to obtain\n\n\n\n\n9\n    AIMS, MRM \xc2\xa7 04.50.02.B.\n10\n     AIMS, MRM \xc2\xa7 04.50.09.D.4.\n11\n     Id.\n\x0cPage 6 - The Commissioner\n\n\ncurrent information about the corrective actions implemented. The office manager is\nresponsible for marking the items \xe2\x80\x9cResolved\xe2\x80\x9d in SAFE after remediation is complete. 12\n\nWe reviewed 17 PSFRs for FY 2008 and found that 5 (29 percent) had included an\nentry in SAFE. For those regions that completed some form of entry in SAFE, we found\nmany input requests for funds, but did not identify any non-funded corrective action\nentries. Generally, for the non-funded corrective actions, there was no evidence the\nissue was addressed or resolved. Also, in several instances, the site managers stated\nthey had not heard of SAFE or had no training and/or understanding of how SAFE\noperated. Subsequent to our review, we learned that SAFE had not been officially\nrolled out nationwide until July 2, 2008. Therefore, offices may not have been using the\nsystem, although it was available.\n\nSAFE could be better used if SSA would require that the regions respond to all PSFR\nrecommendations (that is, funded and non-funded, and current and prior year) within\nthe SAFE web portal. OPSS stated that SSA policy is being revised to require the use\nof SAFE.\n\nMissing Suitability Determination\n\nWe reviewed the suitability determinations for the 9 contractor employees on this\ncontract. We identified one instance where SSA did not complete the suitability\nprocess for a UCG employee, causing non-compliance with the Security Requirement\nClause of the contract. Specifically, we identified one contractor employee (a\nsubcontractor with SEI) who had performed under the contract 13 for at least 2 years with\naccess to sensitive SSA information, who did not have a pre-screening or suitability\ndetermination. SSA\xe2\x80\x99s Center for Personnel Security and Project Management\n(CPSPM) confirmed that it had no suitability determination letter for this individual.\n\nAccording to CPSPM staff, processing of the suitability determination for this individual\nwas under another SSA contract with SEI. However, the SEI contract ended before the\nsuitability determination was completed; therefore, SSA stopped the suitability\ndetermination process, no continuation of the process took place under the current\ncontract with UCG. Also, UCG stated the SEI employee without the suitability\ndetermination had retired, and his replacement had submitted information for a\nsuitability determination.\n\nThe sensitive physical security information in the PSFR protects Agency personnel,\nvisitors, records, equipment and facilities; therefore, SSA must remain committed to\nsafeguarding its information. The SSA Office of Acquisition and Grants contract officer\nand the OPSS Contracting Officer\xe2\x80\x99s Technical Representative should consistently\n\n12\n     Id.\n13\n  SSA Contract Number SS00-05-60015, section C-4.6 Security Requirements Clause, (b) defines\n\xe2\x80\x9cperforming under the contract\xe2\x80\x9d as either working on-site at an SSA facility (including visiting the SSA site\nfor any reason) or having access to agency programmatic or sensitive information.\n\x0cPage 7 - The Commissioner\n\n\nmonitor the staffing of the contractor and any sub-contractor to ensure that only\napproved staff are allowed access to SSA\xe2\x80\x99s facilities and programmatic or sensitive\ninformation.\n\nCONCLUSION AND RECOMMENDATIONS\nWe found UCG was conducting the PSFRs in compliance with the contract terms and\napplicable SSA policies, and OPSS personnel were properly managing and monitoring\nthe UCG contract.\n\nHowever, SSA is not maximizing the potential benefits of the UCG contract; since SSA\nhas not completed the corrective actions on contractor recommendations timely,\neffectively and efficiently. Therefore, SSA should either take timely, effective and\nefficient action on the UCG recommendations, or SSA should modify future contracts to\nlimit the scope of the testing to those areas that the Agency considers more significant\nand is willing to resolve timely. The reduction in the scope of the PSFRs, to focus only\non the corrective actions that SSA would be willing to undertake, could result in\npotential savings to SSA in a lower contract cost.\n\nAlso, we believe SAFE is a useful program, but internal controls must be strengthened\nto ensure the SSA staff responsible for corrective action complete those actions timely\nand satisfy the security needs of the office. Additionally, OPSS should make an effort\nto address older recommendations before SAFE implementation. Some of these\nrecommendations require little or no funding and should be immediately addressed and\nresolved.\n\nWe recommend SSA:\n\n1. Monitor and resolve all outstanding FY 2006 and 2007 PSFR recommendations\n   promptly.\n\n2. Revise SSA policy to require that the regions enter all remedial action into SAFE\n   promptly. Also, SSA should remind all field office managers, assistant managers\n   and area directors on the use of SAFE and ensure recommendations are addressed\n   timely.\n\n3. Ensure all contractor personnel (including subcontractors) who work on the UCG\n   contract have a favorable suitability determination.\n\x0cPage 8 - The Commissioner\n\n\nAGENCY COMMENTS AND OIG RESPONSE\nSSA agreed with the recommendations. The full text of the Agency\xe2\x80\x99s comments is\nincluded in Appendix C.\n\n\n\n\n                                            Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                       Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Agency Comments\nAPPENDIX D \xe2\x80\x93 Unified Consultants Group\xe2\x80\x99s Most Frequently Identified Field Office\n             Security Issues\n\nAPPENDIX E \xe2\x80\x93 Social Security Administration\xe2\x80\x99s Tier Security Enhancements\n\nAPPENDIX F \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                        Appendix A\n\nAcronyms\nAIMS    Administrative Instructions Manual System\nCCTV    Closed Circuit Television System\nCPSPM   Center for Personnel Security and Project Management\nFY      Fiscal Year\nGAM     General Administration Manual\nMRM     Materiel Resources Manual\nODAR    Office of Disability Adjudication and Review\nOFM     Office of Facilities Management\nOIG     Office of the Inspector General\nOPSS    Office of Protective Security Services\nPSAP    Physical Security Action Plan\nPSC     Physical Security Coordinator\nPSFR    Physical Security Facility Review\nSAFE    Security Assessments and Funded Enhancements\nSAS     Space Allocation Standards\nSSA     Social Security Administration\nUCG     Unified Consultants Group, Incorporated\n\x0c                                                                      Appendix B\n\nScope and Methodology\nTo accomplish our objectives, we:\n\n   \xef\x83\x98 Reviewed the Unified Consultants Group, Inc., (UCG) contract SS00-05-60015\n     and contract modifications for Fiscal Years (FY) 2006 through 2008. Also, we\n     reviewed the Social Security Administration\xe2\x80\x99s (SSA) Administrative Instructions\n     Manual System sections related to physical security.\n\n   \xef\x83\x98 Reviewed the Office of Protective Security Services\xe2\x80\x99 physical security facility\n     review (PSFR) site selection list.\n\n   \xef\x83\x98 Sampled 55 PSFR reports and reviewed the findings and recommendations.\n     Additionally, we assessed the reported information to ensure compliance with the\n     contract.\n\n      \xe2\x80\xa2   The base year contract included the requirement for 100 physical security\n          surveys. The subsequent option years require 106 physical security surveys\n          per option year.\n\n      \xe2\x80\xa2   For FYs 2006 and 2007, we sorted the sites visited by Region. We selected\n          the first two sites visited in each Region. For FY 2006, 9 Regions were\n          visited; therefore, we reviewed 18 site reports. For FY 2007, 10 Regions\n          were visited; therefore, we reviewed 20 site reports.\n\n      \xe2\x80\xa2   Additionally, we ensured each report contained the items required by the\n          contract and the required number of PSFRs were completed.\n\n      \xe2\x80\xa2   For FY 2008, we used December 1st as the cut-off date (since this year was\n          on-going). We reviewed the reports for all 17 sites visited during the first\n          2 months of FY 2008.\n\n   \xef\x83\x98 Evaluated internal controls at UCG and SSA\xe2\x80\x99s Offices of Protective Security\n     Services, Acquisition and Grants, and Finance to determine if the processes\n     were functioning properly, such as, contract invoices were properly reviewed and\n     paid.\n\n   \xef\x83\x98 Interviewed staff at UCG and SSA\xe2\x80\x99s Offices of Protective Security Services,\n     Acquisition and Grants, and Finance.\n\n\n\n\n                                          B-1\n\x0c   \xef\x83\x98 Evaluated OPSS\xe2\x80\x99 oversight of UCG to ensure the contractor\xe2\x80\x99s compliance with\n     the contract, which included OPSS\xe2\x80\x99 examining and approving of UCG\xe2\x80\x99s invoices\n     for our sample group.\n\n   \xef\x83\x98 Obtained written responses from the Regional and Office of Disability\n     Adjudication and Review physical security coordinators on their monitoring\n     process and the status of corrective actions for our sample group.\n\n   \xef\x83\x98 Conducted interviews with selected site managers a week after UCG completed\n     reviews at SSA field office sites. We obtained information on the contractor\n     actions and the site manager\xe2\x80\x99s receptiveness to the findings.\n\n   \xef\x83\x98 Visited seven field offices in our sample and observed the corrective actions.\n\nWe performed our audit at the SSA Headquarters and field offices in Boston, New York,\nPhiladelphia, Atlanta, and Kansas City from November 2007 through May 2008. We\nfound the data used for this audit were sufficiently reliable to meet our objectives. The\nentities audited were the Offices of Acquisition and Grants, and Protective Security\nServices under the Deputy Commissioner for Budget, Finance and Management.\n\nWe conducted this audit in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our objectives. We believe the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our objectives.\n\n\n\n\n                                           B-2\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                        SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:     September 18, 2008                                                    Refer To: S1J-3\n\nTo:        Patrick P. O\'Carroll, Jr.\n           Inspector General\n\nFrom:      David V. Foster /s/\n           Executive Counselor to the Commissioner\n\nSubject    Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cThe Social Security Administration\xe2\x80\x99s\n           Contract with Unified Consultants Group, Inc., Contract Number SS00-05-60015\xe2\x80\x9d (A-15-08-\n           18033)--INFORMATION\n\n\n          We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Attached is our response to the\n          recommendations.\n\n          Please let me know if we can be of further assistance. Please direct staff inquiries to\n          Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.\n\n\n          Attachment\n\n\n\n\n                                                        C-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,\n\xe2\x80\x9cTHE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S CONTRACT WITH UNIFIED\nCONSULTANTS GROUP, INC., CONTRACT NUMBER SS00-05-60015\xe2\x80\x9d (A-15-08-18033)\n\nThank you for the opportunity to review and provide comments on this draft report.\n\nRecommendation 1\n\nMonitor and resolve all outstanding fiscal year 2006 and 2007 Physical Security Facility Review\nrecommendations promptly.\n\nComment\n\nWe agree. We will monitor and resolve all outstanding fiscal year 2006 and 2007 Physical\nSecurity Facility Review recommendations.\n\nRecommendation 2\n\nRevise policy to require that the regions enter all remedial action into Security Assessments and\nFunded Enhancements (SAFE) promptly. Also, remind all field office managers, assistant\nmanagers, and area directors on the use of SAFE and ensure recommendations are addressed\ntimely.\n\nComment\n\nWe agree. On August 22, 2008, we issued the Administrative Instructions Manual System\n(AIMS) 12.06, which mandates SAFE usage. We are working to update AIMS 12.06 to include\ntimeframes for remedial actions. By March 31, 2009, we will complete updates to SAFE. This\nupdate will remind users of pending actions that need handling, to update Physical Security\nAction Plans/Occupant Emergency Plans, of pending remedial actions, etc. Any pending items\nthat do not require funding will be corrected within 30 days of the security review report.\nDeficiencies identified that require funding will be corrected within 12 months of the security\nreview report or an extension must be requested.\n\nRecommendation 3\n\nEnsure all contractor personnel, (including subcontractors), who work on the Unified Consultants\nGroup, Incorporated (UCG) contract, have a favorable suitability determination.\n\nComment\n\nWe agree. We have identified a single point of contact to review and monitor all persons\nworking under the UCG contract. We will ensure all UCG employees have proper suitability\ndeterminations prior to performing duties.\n\n\n\n                                               C-2\n\x0c                                                                 Appendix D\n\nUnified Consultants Group\xe2\x80\x99s Most Frequently\nIdentified Field Office Security Issues\nReception:\n\n1. Reception area chairs/Other objects are not secured.\n\nAccess:\n\n1. Keys are not stamped "Do not duplicate."\n\nDoors:\n\n1. No deadbolt equivalent lock on perimeter doors.\n\nIntrusion Detection Systems and Duress:\n\n1. Intrusion detection system or sensors are inadequate.\n2. Install/improve closed-circuit television system.\n3. Install/improve duress alarm system.\n\nLighting:\n\n1. Inadequate or inoperative exterior lighting.\n2. Emergency lighting is not tested monthly.\n3. Inadequate or inoperative emergency lighting/no flashlight.\n\nPlans, Policies and Procedures:\n\n1. Update and test the Physical Security Action Plan (PSAP) and Occupant\n   Emergency Program.\n2. Revise the PSAP/provide employees copies.\n\nGuard Services:\n\n1. Guard post orders are inadequate/ No Contract Guard Manual.\n\nExterior:\n\n1. Utilities are not protected.\n\x0c                                                                               Appendix E\n\nSocial Security Administration\xe2\x80\x99s Tier Security\nEnhancements\nTier 1 Security Enhancements 1\n\n      Management is to ensure that, in Social Security Administration (SSA) offices\n      dealing with the public, the following mandatory Tier 1 security enhancements are in\n      place:\n\n      1. Duress (panic) alarms at all workstations used for interviewing the public. This\n         also includes the reception counter and the private interview room in field offices.\n\n      2. Peepholes in exterior and interior doors as needed (and installed at wheel chair\n         height if appropriate). Office of Disability Adjudication and Review (ODAR)\n         hearing rooms are to have peepholes which look into the rooms.\n\n      3. Locks and panic bars on exterior and interior doors as needed. Locks are to\n         meet the security locking requirements in the current SSA or ODAR Space\n         Allocation Standards (SAS). Due to technology developments, types of locks\n         may be changed as long as the intent of the SAS is met. Locks are to be\n         installed in accordance with local fire and building codes.\n\n      4. Intrusion detection system.\n\n      5. Security lighting (interior and exterior) at building entrances and in parking areas\n         controlled by SSA for employee and visitor safety.\n\nTier 2 Security Enhancements 2\n\n      Although not mandated, management is to consider the following Tier 2\n      enhancements:\n\n      1. Emergency lighting to provide sufficient lighting for employees to safely evacuate\n         the office during power failures and other emergencies.\n\n      2. Emergency power back-up systems for critical security systems such as the\n         intrusion detection system.\n\n1\n Administrative Instructions Manual System (AIMS), General Administration Manual (GAM) \xc2\xa7 12.06.07 C,\nTier 1 Security Enhancements.\n2\n    AIMS, GAM \xc2\xa7 12.06.07 D, Tier 2 Security Enhancements.\n\n\n                                                 E-1\n\x0c3. Closed circuit television (CCTV) systems (Refer to OFM memorandum dated\n   April 25, 2000 entitled \xe2\x80\x9cUse of CCTVs Within SSA/ODAR Offices\xe2\x80\x9d, available by\n   contacting OPSS (410) 965-4544).\n\n4. Physical modifications to the space, such as the installation of barrier walls,\n   Plexiglas reception windows, separate restrooms for the public, etc.\n\n\n\n\n                                        E-2\n\x0c                                                                      Appendix F\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kristen Schnatterly, Acting Director, Financial Audit Division, (410) 965-0433\n\n   Mark Meehan, Acting Audit Manager, (410) 966-7147\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Sig Wisowaty, Senior Auditor\n\n   Tonia Hill, Auditor\n\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number\nA-15-08-18033.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                 Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                           Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                          Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c'